From 5591bf07225523600450edd9e6ad258bb877b779 Mon Sep 17 00:00:00 2001 From: Dan Rosenberg Date: Tue, 28 Sep 2010 14:18:20 -0400 Subject: ALSA: prevent heap corruption in snd_ctl_new() The snd_ctl_new() function in sound/core/control.c allocates space for a snd_kcontrol struct by performing arithmetic operations on a user-provided size without checking for integer overflow. If a user provides a large enough size, an overflow will occur, the allocated chunk will be too small, and a second user-influenced value will be written repeatedly past the bounds of this chunk. This code is reachable by unprivileged users who have permission to open a /dev/snd/controlC* device (on many distros, this is group "audio") via the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls. Signed-off-by: Dan Rosenberg Cc: Signed-off-by: Takashi Iwai --- sound/core/control.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'sound') diff --git a/sound/core/control.c b/sound/core/control.c index 070aab49019..45a818002d9 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -31,6 +31,7 @@ /* max number of user-defined controls */ #define MAX_USER_CONTROLS 32 +#define MAX_CONTROL_COUNT 1028 struct snd_kctl_ioctl { struct list_head list; /* list of all ioctls */ @@ -195,6 +196,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control, if (snd_BUG_ON(!control || !control->count)) return NULL; + + if (control->count > MAX_CONTROL_COUNT) + return NULL; + kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL); if (kctl == NULL) { snd_printk(KERN_ERR "Cannot allocate control instance\n"); -- cgit v1.2.3 From e913b146493993c8ac33561655c590e58b500c6f Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Thu, 30 Sep 2010 22:59:12 +0200 Subject: ALSA: i2c/other/ak4xx-adda: Fix a compile warning with CONFIG_PROCFS=n Signed-off-by: Takashi Iwai --- sound/i2c/other/ak4xxx-adda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'sound') diff --git a/sound/i2c/other/ak4xxx-adda.c b/sound/i2c/other/ak4xxx-adda.c index 1adb8a3c2b6..42d7844ecd0 100644 --- a/sound/i2c/other/ak4xxx-adda.c +++ b/sound/i2c/other/ak4xxx-adda.c @@ -900,7 +900,7 @@ static int proc_init(struct snd_akm4xxx *ak) return 0; } #else /* !CONFIG_PROC_FS */ -static int proc_init(struct snd_akm4xxx *ak) {} +static int proc_init(struct snd_akm4xxx *ak) { return 0; } #endif int snd_akm4xxx_build_controls(struct snd_akm4xxx *ak) -- cgit v1.2.3 From d4cfa4d12f46e2520f4c1d1a92e891ce068b7464 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Sun, 10 Oct 2010 19:33:52 +0200 Subject: OSS: soundcard: locking bug in sound_ioctl() We shouldn't return directly here because we're still holding the &soundcard_mutex. This bug goes all the way back to the start of git. It's strange that no one has complained about it as a runtime bug. CC: stable@kernel.org Signed-off-by: Dan Carpenter Acked-by: Arnd Bergmann Signed-off-by: Takashi Iwai --- sound/oss/soundcard.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'sound') diff --git a/sound/oss/soundcard.c b/sound/oss/soundcard.c index 92aa762ffb7..07f803e6d20 100644 --- a/sound/oss/soundcard.c +++ b/sound/oss/soundcard.c @@ -391,11 +391,11 @@ static long sound_ioctl(struct file *file, unsigned int cmd, unsigned long arg) case SND_DEV_DSP: case SND_DEV_DSP16: case SND_DEV_AUDIO: - return audio_ioctl(dev, file, cmd, p); + ret = audio_ioctl(dev, file, cmd, p); break; case SND_DEV_MIDIN: - return MIDIbuf_ioctl(dev, file, cmd, p); + ret = MIDIbuf_ioctl(dev, file, cmd, p); break; } -- cgit v1.2.3 From 9b2167d59f38691b86430ce559c7fa9d4f973b1f Mon Sep 17 00:00:00 2001 From: Luke Yelavich Date: Wed, 6 Oct 2010 15:45:46 +1100 Subject: ALSA: hda - Add another HP DV6 quirk BugLink: https://bugs.launchpad.net/bugs/653420 Add another HP DV6 notebook (103c:363e) to use STAC_HP_DV5. Signed-off-by: Luke Yelavich Signed-off-by: Takashi Iwai --- sound/pci/hda/patch_sigmatel.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'sound') diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c index 95148e58026..c16c5ba0fda 100644 --- a/sound/pci/hda/patch_sigmatel.c +++ b/sound/pci/hda/patch_sigmatel.c @@ -1747,6 +1747,8 @@ static struct snd_pci_quirk stac92hd71bxx_cfg_tbl[] = { "HP dv6", STAC_HP_DV5), SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x3061, "HP dv6", STAC_HP_DV5), /* HP dv6-1110ax */ + SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x363e, + "HP DV6", STAC_HP_DV5), SND_PCI_QUIRK_MASK(PCI_VENDOR_ID_HP, 0xfff0, 0x7010, "HP", STAC_HP_DV5), SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x0233, -- cgit v1.2.3 From aa73aec6c385e2c797ac25cc7ccf0318031de7c8 Mon Sep 17 00:00:00 2001 From: Clemens Ladisch Date: Fri, 15 Oct 2010 12:06:18 +0200 Subject: ALSA: rawmidi: fix oops (use after free) when unloading a driver module When a driver module is unloaded and the last still open file is a raw MIDI device, the card and its devices will be actually freed in the snd_card_file_remove() call when that file is closed. Afterwards, rmidi and rmidi->card point into freed memory, so the module pointer is likely to be garbage. (This was introduced by commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a.) Signed-off-by: Clemens Ladisch Reported-by: Krzysztof Foltman Cc: 2.6.30-2.6.35 Signed-off-by: Takashi Iwai --- sound/core/rawmidi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'sound') diff --git a/sound/core/rawmidi.c b/sound/core/rawmidi.c index a7868ad4d53..cbbed0db9e5 100644 --- a/sound/core/rawmidi.c +++ b/sound/core/rawmidi.c @@ -535,13 +535,15 @@ static int snd_rawmidi_release(struct inode *inode, struct file *file) { struct snd_rawmidi_file *rfile; struct snd_rawmidi *rmidi; + struct module *module; rfile = file->private_data; rmidi = rfile->rmidi; rawmidi_release_priv(rfile); kfree(rfile); + module = rmidi->card->module; snd_card_file_remove(rmidi->card, file); - module_put(rmidi->card->module); + module_put(module); return 0; } -- cgit v1.2.3